Revision as of 04:13, 14 July 2013

Injection context

Some applications use an XML-based datastore and the XPath query language to retrieve data from it. Such an application may build an XPath query expression from user input in order to select the data belonging to that user.

Injection objective

The objective of the injection is to submit a fragment of XPath that changes the normal behavior of the target expression, so that more or different data than intended is retrieved.

Injection examples

For the examples we take the case of an application that stores employee information in an XML store with this structure:

Here the sensitive information is the annual salary, so it is the target of the injection.

The application expects to receive, for the employee ID, a value like "AS789", but what is the application's behavior if a user submits a value with another pattern?

Sample value n°1:

'%20or%20'1'='1

Result:
All employee nodes are selected (in this case the user does not know the XML structure).

Sample value n°2:

'%20or%20fn:contains(fn:lower-case(@lastname),'dobora')%20or%20'

Result:
The employee whose last name contains "dobora" is selected (in this case the user has guessed the XML structure).

Injection countermeasure

Input used in an XPath expression must not contain any of the characters below:

( ) = ' [ ] : , * / WHITESPACE

In our example context, the change to apply could be to create an application-wide utility method that checks for the presence of the characters above and rejects the submitted value if it contains any of them.
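As an added example (not code from the original page), here is such a utility method in Python, applied to the employee-ID case above. Because the page does not show the XML structure, the @id attribute and the exact ID format (two upper-case letters followed by digits, as in "AS789") are assumptions; the check also URL-decodes the value first, since the sample payloads arrive with %20 encoding.

```python
import re
from urllib.parse import unquote

# Characters that must not appear in a value concatenated into an XPath
# expression: the list from the countermeasure above, plus whitespace.
FORBIDDEN_CHARS = set("()='[]:,*/") | set(" \t\r\n")

# Assumption: an employee ID such as "AS789" is two upper-case letters followed
# by digits. The page shows a single example value; the exact format is ours.
EMPLOYEE_ID_PATTERN = re.compile(r"[A-Z]{2}[0-9]{3,}")

class UnsafeXPathInput(ValueError):
    """Raised when a submitted value contains forbidden XPath characters."""

def forbidden_chars(value):
    """Return the forbidden characters present in an already-decoded value."""
    return {c for c in value if c in FORBIDDEN_CHARS}

def check_xpath_value(raw):
    """Application-wide check described in the countermeasure.
    The value is URL-decoded first: the sample payloads arrive as '%20or%20',
    and a check on the encoded form would not see the spaces. Returns the
    decoded value when it is clean and raises UnsafeXPathInput otherwise.
    """
    value = unquote(raw)
    bad = forbidden_chars(value)
    if bad:
        raise UnsafeXPathInput("forbidden characters: %r" % sorted(bad))
    return value

def is_valid_employee_id(raw):
    """Reject forbidden characters, then require the positive ID format."""
    try:
        value = check_xpath_value(raw)
    except UnsafeXPathInput:
        return False
    return EMPLOYEE_ID_PATTERN.fullmatch(value) is not None

def build_employee_query(raw_id):
    """Build the lookup expression from a validated ID (assumes an @id attribute)."""
    if not is_valid_employee_id(raw_id):
        raise UnsafeXPathInput("employee id rejected")
    return "//employee[@id='%s']" % unquote(raw_id)

if __name__ == "__main__":
    # The page's legitimate ID and its two injection payloads, run through the check.
    for sample in ("AS789", "'%20or%20'1'='1",
                   "'%20or%20fn:contains(fn:lower-case(@lastname),'dobora')%20or%20'"):
        print(repr(sample), "->", is_valid_employee_id(sample))
```

Both sample values from the page are rejected on the single quote, the spaces and the `=`, `(`, `)`, `:` and `,` characters, while "AS789" passes and yields the expression `//employee[@id='AS789']`.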